Help! I Need to Respond to All These Cisco IOS Software Vulnerabilities and I Cannot Scale!!!

No software is immune to security vulnerabilities. The time between the discovery and disclosure of security vulnerabilities and the availability of an exploit is getting shorter. This imposes pressures on network security professionals and information technology (IT) managers to quickly respond to security vulnerabilities or apply mitigation in their network. Many organizations are struggling to keep up-to-date with the constant release of new vulnerabilities and software fixes. At the same time, they are under pressure to provide near 100% availability of key business services and systems.

As an example, every time Cisco discloses a security vulnerability for Cisco IOS Software (or any given product), network security administrators have to identify affected devices and (in numerous cases) upgrade such devices. These activities can take hours, days, or even weeks depending on the size of the organization. For instance, large enterprises and organizations may have thousands of routers and switches that need to be assessed for the impact of any given vulnerability.

Most security and network administrators are seeking ways to leverage standards and available tools to reduce the complexity and time necessary to respond to security advisories, assess devices, and ensure compliance. All these challenges make it almost impossible for a security or network administrator to decide what changes are needed on endpoints or networking devices. Additionally, administrators must determine how to implement those changes quickly, correctly, and consistently.

SCAP was created to provide a standardized solution for security automation. The SCAP mission is to maintain system security by ensuring security configuration best practices are implemented in the enterprise network, verifying the presence of patches, and maintaining complete visibility of the security posture of systems and the organization at all times.

The current SCAP specifications include the following:

Languages

Open Vulnerability and Assessment Language (OVAL): OVAL is an international community standard to promote open and publicly available security content and to standardize the transfer of this information in security tools and services. More information about OVAL is available at http://oval.mitre.org.

Extensible Configuration Checklist Description Format (XCCDF): XCCDF is a specification for a structured collection of security checklists and benchmarks. More information about XCCDF is available at http://scap.nist.gov/specifications/xccdf.

Open Checklist Interactive Language (OCIL): OCIL is a framework for collecting and interpreting responses from questions offered to users. More information about OCIL is available at: http://scap.nist.gov/specifications/ocil.

Asset Identification (AI): AI is a specification designed to quickly correlate different sets of information about enterprise computing assets. More information about AI is available at http://scap.nist.gov/specifications/ai.

Asset Reporting Format (ARF): ARF is a specification that defines the transport format of information about enterprise assets and provides a standardized data model to streamline the reporting of such information. More information about ARF is available at http://scap.nist.gov/specifications/arf.

Common Vulnerabilities and Exposures (CVE): CVE assigns identifiers to publicly known system vulnerabilities. Cisco assigns CVE identifiers to security vulnerabilities according to the Cisco public vulnerability policy. More information about CVE is available at http://cve.mitre.org.

Common Platform Enumeration (CPE): CPE is a standardized method of naming and identifying classes of applications, operating systems, and hardware devices. More information about CPE is available at http://cpe.mitre.org.

Common Configuration Enumeration (CCE): CCE provides unique identifiers for configuration guidance documents and best practices. The main goal of CCE is to enable organizations to perform fast and accurate correlation of configuration issues in enterprise systems. More information about CCE is available at http://cce.mitre.org.

Note: Other community-developed enumerators, such as the Common Weakness Enumeration (CWE), are currently being expanded and further developed. CWE is a dictionary of common software architecture, design, code, or implementation weaknesses that could lead to security vulnerabilities. More information about CWE is available from http://cwe.mitre.org. Another emerging enumerator is the Common Remediation Enumeration (CRE). More information about CRE is available at http://scap.nist.gov/specifications/cre.

Metrics

Common Vulnerability Scoring System (CVSS): CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine the urgency and priority of response. Cisco provides a base and temporal CVSS score for each vulnerability that is disclosed via security advisories and other disclosure methods. Customers can compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has a FAQ regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. More information about CVSS is available at http://www.first.org/cvss.

The following provides a simple example of how an administrator can use an OVAL scanner to connect to several Cisco IOS routers over SSH and check them for the presence of vulnerabilities, configuration issues, and installed software.

Assessment of Cisco IOS Devices Using OVAL

OVAL Definitions

OVAL definitions are XML files that contain information about how to check a system for the presence of vulnerabilities, configuration issues, patches, installed applications, or other characteristics. For vulnerability checks, definitions are written to check for a vulnerability identified by a specific CVE identifier.
There are four main use cases, also called “classes,” of OVAL definitions:

Vulnerability: Determine the presence of a vulnerability on the system being tested

Compliance: Validate a device configuration against a known or approved valid configuration

Inventory: Check for specific software installed on the system

Patches: Find a specific patch on the system

Downloading Cisco OVAL Content

OVAL content (often called “definitions”) can be downloaded directly from Cisco IOS Software security advisories. Each of these advisories includes a link to the corresponding OVAL definition(s). Currently only Cisco IOS Software is supported. Cisco is working with MITRE and the OVAL community to enhance and develop new schemata to better support Cisco IOS Software and possibly other Cisco products. OVAL enables interoperability between security and network management products from different vendors in different vertical markets, allowing them to quickly and automatically perform vulnerability and compliance assessment of network infrastructure and networking devices. Many vendors are working on integrating Cisco IOS Software schemata support into their products.
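To make the definition classes and the scanner workflow above concrete, here is an added example (not Cisco's OVAL content and not a real OVAL scanner) that evaluates one constructed, simplified vulnerability-class definition against "show version" banners collected from several routers. The XML layout, the placeholder CVE identifier, the router banners and the fixed-version rule are all assumptions constructed for this illustration; the real OVAL ios schema and Cisco's published definitions are more elaborate.

```python
import re
import xml.etree.ElementTree as ET
# Constructed, simplified OVAL-style definition (illustration only, not real Cisco OVAL content
# nor the real OVAL ios schema): one vulnerability-class definition with a placeholder CVE whose
# single test says that 15.1 M-train images earlier than 15.1(4)M4 are affected.
OVAL_DEF = """<oval_definitions>
  <definition id="oval:example:def:1" class="vulnerability">
    <metadata><reference source="CVE" ref_id="CVE-0000-0000"/></metadata>
    <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
  </definition>
  <version_test id="oval:example:tst:1" train="M" major="15" minor="1"
                fixed_release="4" fixed_rebuild="4"/>
</oval_definitions>"""

# Constructed 'show version' first lines for three routers (what a scanner collects over SSH).
SHOW_VERSION = {
    "rtr1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)",
    "rtr2": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)",
    "rtr3": "Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)",
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?")

def parse_ios_version(text):
    """Return (major, minor, release, train, rebuild) from a 'show version' line.
    Assumes the common numeric form such as 15.1(4)M3; lettered rebuilds (T4a) are not handled."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no IOS version string found")
    major, minor, release, train, rebuild = m.groups()
    return int(major), int(minor), int(release), train or "", int(rebuild or 0)

def evaluate(oval_xml, show_version):
    """Evaluate each definition against one device: definition id -> (CVE id, True if affected)."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.iter("version_test")}
    major, minor, release, train, rebuild = parse_ios_version(show_version)
    results = {}
    for d in root.iter("definition"):
        cve = d.find("metadata/reference[@source='CVE']").get("ref_id")
        affected = True  # criteria are ANDed: every criterion must match
        for c in d.iter("criterion"):
            t = tests[c.get("test_ref")]
            same_train = (major, minor, train) == (int(t.get("major")), int(t.get("minor")), t.get("train"))
            fixed = (int(t.get("fixed_release")), int(t.get("fixed_rebuild")))
            affected = affected and same_train and (release, rebuild) < fixed
        results[d.get("id")] = (cve, affected)
    return results

def scan_inventory(oval_xml=OVAL_DEF, inventory=SHOW_VERSION):
    """Run every definition against every device: host -> evaluate() results."""
    return {host: evaluate(oval_xml, banner) for host, banner in inventory.items()}
```

Only rtr1 (15.1(4)M3, same train and below the fixed rebuild) is reported as affected; rtr2 runs the fixed image and rtr3 is on a different train, so neither is flagged.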

Please Provide Us Feedback and Comments!

Whether you are exploring security automation capabilities such as OVAL/SCAP, or have already implemented solutions that support OVAL/SCAP (or any other security automation standard or offering), please post your comments here or ask any questions.

We'd love to hear from you!